Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

This quick tutorial will help you get started with key features to help you find the answers you need. You will receive 10 karma points upon successful completion!

I thought as such since there are certain cases that would cause odd behaviour. When the forwarder is reading the file in (relatively) real-time and they are getting indexed in a similar amount of time, then the added log timestamp would be useful to understand the order of the events when looking at the logs afterwards (outside of Splunk), but since you may have network issues and delays in forwarding/reading the file - if it indexed the entire file at once they'd all have the same timestamp which isn't that useful.